HCI FAILURE-STATE ARCHITECTURE

Convergence physics, shared silicon arbitration, and Failure-State Envelope modeling for enterprise HCI clusters

SPECIALIZATION TRACK — HCI FAILURE-STATE ARCHITECTURE

• Track Discipline: The architectural discipline governing how compute, storage, and network converge within shared silicon and the Failure-State Envelope that convergence produces under rebuild events, rolling upgrades, and concurrent node degradation.
• Primary Architectural Tension: Convergence efficiency vs. failure-domain isolation — maximizing resource utilization against the replication amplification, controller contention, and rebuild traffic that the Failure-State Envelope generates when the cluster enters a degraded state.
• Architectural Boundary: Does not govern external storage or disaggregated compute architectures — those belong to the Storage Architecture and Compute Architecture Tracks respectively. HCI convergence governs only the shared-silicon model where storage, compute, and network occupy the same physical node boundary.
• Domain Path Relationship: Deepens Stages 2–4 of the Virtualization Architecture Path — Control Plane Architecture, Storage & Network Architecture, and Deterministic Operations — where convergence physics determine platform behavior under load but the Failure-State Envelope is not modeled at depth.
• Who This Track Is For: You’re sizing an HCI cluster for production, running post-migration AHV or vSAN operations, or encountering performance anomalies under node failure or upgrade windows that don’t trace back to application code — and you need the architectural framework to model what’s actually happening at the convergence boundary.

>_ WHY THIS TRACK EXISTS

HCI architecture hides its highest failure risk inside the convergence model itself — the shared silicon boundary where storage controller demands and guest workload demands compete for the same CPU, memory, and network without external arbitration. When that boundary isn’t modeled as a Failure-State Envelope before sizing, clusters that pass pre-production validation fail under rebuild events, rolling upgrades, and migration bursts because they were sized against steady-state utilization rather than the resource condition the cluster enters during concurrent degradation. The Virtualization Domain Path covers convergence at Stages 2–4 at the breadth needed for platform selection and basic cluster design — it doesn’t resolve the controller tax modeling, replication amplification calculus, or N+1 headroom requirements against the Failure-State Envelope that production HCI operations require. This Track provides that architectural depth across five clusters: convergence physics, distributed resiliency, Failure-State Envelope modeling, platform implementation through the convergence lens, and governance portability as HCI clusters accumulate operational gravity over time.

WHAT THIS TRACK IS NOT

HCI FAILURE-STATE ARCHITECTURE — READING SCOPE

CLUSTER 01 — CONVERGENCE PHYSICS: SHARED SILICON & CONTROLLER TAX — ENTRY POINT

Where Steady State and the Failure-State Envelope First Diverge

HCI convergence places the storage controller on the same physical silicon as the guest workload — a design choice that produces the Controller Tax: the CPU, memory, and NIC capacity consumed by the storage fabric before a single guest vCPU executes. The cluster that looks healthy at 70% utilization in vCenter is running at effective capacity when the controller tax envelope and I/O spike buffer are accounted for. This cluster establishes the shared silicon physics that every subsequent cluster in this Track depends on — and that most HCI sizing exercises skip.

CLUSTER 02 — DISTRIBUTED RESILIENCY: EAST-WEST AMPLIFICATION & REBUILD PHYSICS

Replication Amplification as a First-Order Architectural Constraint

Distributed resiliency changes failure behavior from isolated component loss into coordinated east-west recovery amplification. Replication traffic, rebuild sequencing, and latency propagation become first-order architectural constraints rather than background infrastructure mechanics. The east-west fabric that handles baseline replication at RF2 is a different fabric during a node failure when rebuild traffic, replication recovery, and normal production writes all compete for the same spine links simultaneously. This cluster maps the amplification mechanics that Cluster 03’s Failure-State Envelope sizing must account for.

CLUSTER 03 — FAILURE-STATE ENVELOPE MODELING: N+1, UPGRADE PHYSICS & MIGRATION BURSTS

Sizing for the Condition the Cluster Inevitably Enters

Most HCI clusters are sized against steady-state utilization rather than the Failure-State Envelope (Framework #88) — the resource condition the cluster enters during rebuilds, rolling upgrades, replication recovery, and concurrent node degradation. Sizing for steady state produces a cluster that performs correctly until it doesn’t — then performs incorrectly at exactly the moment correctness is most critical. This cluster maps the architectural mechanics of the Failure-State Envelope and the three production scenarios where it determines whether the cluster survives or compounds into cascading instability.

CLUSTER 04 — PLATFORM IMPLEMENTATION: CONVERGENCE MODELS UNDER LOAD

How Different Convergence Architectures Express Failure-State Behavior

Platform implementation analysis at Track depth is not feature comparison — it is the study of how different convergence models express controller arbitration, replication behavior, failure recovery, and governance constraints under load. The question is not which platform has a better benchmark. It is which platform’s convergence model is compatible with your Failure-State Envelope and governance requirements. Teams that approach HCI platform selection as a feature matrix exercise select platforms they can buy but cannot size correctly — the Failure-State Envelope only becomes visible when you model the convergence architecture, not the specification sheet.

CLUSTER 05 — GOVERNANCE PORTABILITY & PLATFORM SOVEREIGNTY

When HCI Governance Dependencies Become Architectural Commitments

HCI platforms are not merely infrastructure stacks — they are governance systems with embedded operational assumptions, lifecycle tooling, replication models, and policy authority surfaces. Sovereignty begins when those governance dependencies become portable rather than vendor-bound. This cluster covers why HCI clusters become operationally sticky over time, how that stickiness accumulates through backup integration, observability calibration, and operational muscle memory, and what it takes to make platform governance portable enough to exit intentionally rather than by force. The Fragmented Control Plane that emerges during VMware coexistence is the same governance architecture problem that HCI platform gravity creates at a slower cadence — both require deliberate architectural design to manage.

THE CONVERGENCE TRAP — THREE SIZING ERRORS THIS TRACK CLOSES

The three most common HCI sizing errors each map to a specific cluster. Error 1 — ignoring the controller tax: treating the published CPU and memory specs as fully available for guest workloads rather than netting the controller baseline before any VM allocation. Cluster 01 addresses this. Error 2 — sizing for baseline replication traffic: modeling east-west fabric against normal RF2 writes rather than against the amplified traffic of a simultaneous rebuild and production write load. Cluster 02 addresses this. Error 3 — sizing for steady-state utilization: planning headroom against average VM utilization rather than against the Failure-State Envelope that determines whether the cluster survives a node failure mid-upgrade window. Cluster 03 addresses this. All three errors produce clusters that size correctly on paper and fail in production at the worst possible moment.

THE REBUILD WINDOW — WHY UPGRADE PHYSICS AND NODE FAILURE SHARE THE SAME MATH

A rolling upgrade is a controlled failure event. The resource math for a node entering maintenance mode during an upgrade is identical to the resource math for a node failure — in both cases, the surviving nodes absorb the workload, rebuild traffic floods the east-west fabric, and the cluster enters the Failure-State Envelope for the duration. The only difference is that an upgrade is scheduled and a failure is not. This means the N+1 headroom model applies identically to both scenarios. Clusters sized for upgrade windows without modeling the simultaneous controller contention and rebuild traffic are sized for a scenario that never actually occurs in production — and will enter the Failure-State Envelope exactly when the upgrade window opens.

STEADY STATE VS FAILURE STATE — WHAT ARCHITECTS ACTUALLY SIZE FOR

PLATFORM GRAVITY — WHY HCI CLUSTERS BECOME OPERATIONALLY STICKY

Platform gravity is not visible at procurement. It accumulates through six channels that each independently increase the governance cost of platform exit: backup integration calibrated to the convergence model, lifecycle tooling tuned to the upgrade cadence, observability thresholds built against the platform’s specific failure signatures, replication mechanics encoded in DR runbooks, operational muscle memory accumulated through production incidents, and vendor support relationships built around platform-specific escalation paths. None of these is an argument against committing to HCI. All of them are arguments for treating the platform selection decision as a governance commitment rather than a procurement event — and for building sovereignty into the operational model before gravity makes exit prohibitively expensive. Cluster 04 covers the platform constraint analysis. Cluster 05 covers what portable governance of those commitments actually requires. The Migration Strategy Track covers what happens when governance portability isn’t designed in from the start. The Sovereign Virtualization Architecture stage is where those commitments resolve at the strategic architecture level.

HCI architecture at Track depth means the convergence model is no longer opaque — the Failure-State Envelope, controller tax, and replication amplification are modelable before the first node order. The distinction between a cluster sized for steady state and one sized for the degradation condition it will inevitably enter is now a first-class design input, not a post-incident discovery. Platform selection is now a governance commitment analysis, not a feature comparison exercise.

• Model the Failure-State Envelope before cluster sizing — controller tax, rebuild amplification, N+1 headroom, and upgrade window buffer as a unified resource boundary rather than independent sizing parameters
• Calculate east-west fabric capacity against replication amplification and rebuild burst profiles, not baseline workload traffic — and validate that the fabric holds across all five operational modes in the steady-state vs failure-state table
• Evaluate HCI platform implementation tradeoffs through the convergence physics lens — how each platform’s controller model expresses failure recovery and governance constraints, not which has the more favorable benchmark
• Distinguish governance portability from feature availability — assess whether HCI lifecycle tooling, replication models, and policy authority surfaces are portable before Platform Gravity makes exit architecturally expensive
• Apply HCI Failure-State Envelope constraints to adjacent architecture decisions — data protection recovery traffic, AI inference cluster sizing, and Kubernetes node density all inherit the same convergence physics this Track governs, making the Failure-State Envelope model directly reusable across disciplines

>_ WHERE DO YOU GO FROM HERE

YOUR HCI SIZING MATH IS PROBABLY MISSING THE FAILURE-STATE ENVELOPE

If your cluster is sized against steady-state utilization rather than the Failure-State Envelope, the Migration Readiness Assessment surfaces the controller tax gap, rebuild amplification exposure, and N+1 headroom deficit before they become a production incident.